A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Final Version of 2017 OWASP Top 10 Released (SecurityWeek, Nov 21 2017)
The final version of the 2017 OWASP Top 10 was released on Monday. Cross-site request forgery (CSRF) has been removed from the OWASP Top 10 as modern development frameworks ensure that such vulnerabilities are avoided, which has led to CSRF being found in less than 5% of applications. Unvalidated redirects and forwards have also been removed as they affect only around 8% of apps.
Who’s Driving Security for Uber? (WhiteHat Security, Nov 21 2017)
The news was just released that a massive breach hit Uber in October of 2016. The personal information of 57 million Uber users and 7 million Uber drivers were stolen, including names, email addresses and phone numbers. In addition, about 600,000 drivers’ license numbers of Uber drivers were also stolen.
GitHub starts scanning millions of projects for insecure components (Naked Security – Sophos, Nov 21 2017)
The code repository will warn you about insecure dependencies
How to fix a program without the source code? Patch the binary directly (Ars Technica, Nov 17 2017)
Microsoft abandons typical Patch Tuesday playbook to fix Equation Editor flaw.
New IBM Quad9 DNS Service Makes the Internet Safer and More Private (IBM, Nov 16 2017)
Unlike many other DNS services, Quad9 makes use of aggregated data, but by design does not store, correlate or otherwise employ any personally identifiable information (PII). Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis.
5 cloud storage predictions for 2018 (Help Net Security, Nov 21 2017)
1. GDPR will catch most SaaS providers unprepared, 2. Decentralization will become focus of governments worldwide, 3. Emergence of cross repository governance and protection products, 4. Ransomware protection takes a front seat, and 5. Data loss prevention by content machine learning
Amazon Creates Classified US Cloud (Schneier on Security, Nov 21 2017)
Amazon has a cloud for US classified data. The physical and computer requirements for handling classified information are considerable, both in terms of technology and procedure. I am surprised that a company with no experience dealing with classified data was able to do it.
Can you hear me now? APIs are vulnerable! (WhiteHat Security, Nov 15 2017)
All the attacker would need to do is change the phone number value in the API call and it would give the attacker all the information on that phone number. Essentially, an attacker could script this and run through all phone numbers to pillage account information for all T-Mobile customers.
How Not to Store Passwords: SHA-1 Fails Again (X-Force Research, Nov 06 2017)
Problem: How do you store a password but make it nearly impossible to recover the plaintext in the event that the database with the password hash is compromised?
Mitigate Digital Transformation Cybersecurity Risk With ‘DevSecOps’ (Forbes, Nov 21 2017)
The inevitable conclusion: how organizations deal with cybersecurity risk must also transform. They cannot simply keep dealing with such risks as they have in the past.
Static Code Analysis: Binary vs. Source (Checkmarx, Nov 21 2017)
Two main offerings exist within the Static Code Analysis sphere: 1) Binary or Byte-code Analysis (BCA): Analyzing the binary\byte code created by the compiler, and 2) Source Code Analysis (SCA): Analyzing the original un-compiled code, as written by developers.
Sad state of enterprise cloud infrastructure governance (Help Net Security, Nov 20 2017)
A new survey of more than 300 IT professionals, conducted by Propeller Insights in October 2017, revealed that the state of enterprise cloud infrastructure governance is extremely poor.
RDPY – RDP Security Tool For Hacking Remote Desktop Protocol (Darknet, Nov 20 2017)
RDPY is an RDP Security Tool in Twisted Python with RDP Man in the Middle proxy support which can record sessions and Honeypot functionality.
FDA: DevSecOps and Nobody Dies (Blogs – DevOps.com, Nov 16 2017)
Dr. Suzanne Schwartz, CDRH Associate Director for Science and Strategic Partnerships at the Food and Drug Administration (FDA), recently released a blog to update us on the FDA’s role in medical device cybersecurity.
Capital One Previews Fintech Tuned Container Platform (IT Pro, Nov 21 2017)
The financial services company moves into proprietary waters with software it acquired in last years purchase of Critical Stack.
Use the New Visual Editor to Create and Modify Your AWS IAM Policies (AWS Blog, Nov 17 2017)
AWS Identity and Access Management (IAM) made it easier for you to create and modify your IAM policies by using a point-and-click visual editor in the IAM console.
AWS IoT Update – Better Value with New Pricing Model (AWS Blog, Nov 21 2017)
AWS made a change to the AWS IoT pricing model…most customers will see a price reduction of 20-40%.
How to Encrypt and Decrypt Your Data with the AWS Encryption CLI (AWS Blog, Nov 20 2017)
You can now encrypt and decrypt your data at the command line and in scripts—no cryptography or programming expertise is required. The new AWS Encryption SDK Command Line Interface (AWS Encryption CLI) brings the AWS Encryption SDK to the command line.
How to Patch, Inspect, and Protect Microsoft Windows Workloads on AWS—Part 1 (AWS Blog, Nov 21 2017)
Most malware tries to compromise your systems by using a known vulnerability that the maker of the operating system has already patched. In today’s blog post (Part 1 of a two-part post), AWS show how to keep your Amazon EC2 instances that run Microsoft Windows up to date with the latest security patches by using Amazon EC2 Systems Manager.
How to Patch, Inspect, and Protect Microsoft Windows Workloads on AWS—Part 2 (AWS Blog, Nov 22 2017)
How to take regular snapshots of your data by using Amazon EBS Snapshot Scheduler and how to use Amazon Inspector to check if your EC2 instances running Microsoft Windows contain any common vulnerabilities and exposures (CVEs).